European Commission, experts uneasy over WP29 data portability interpretation
- by 7wData
The European Commission has written to EU Privacy regulators to express concern over their interpretation of the data portability clause in the General Data Protection Regulation.Â
Specifically, the Commission appears to be worried that the regulators have interpreted too broad a scope for the GDPR's Article 20. The Article 29 Working Party (WP29), the group that represents EU Privacy regulators, issued guidelines earlier this month in which it said "the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity."
The guidelines went on to specify that this could include "observed data provided by the data subject by virtue of the use of the service or the device," such as the subject's search history, traffic data and location data – and even "raw data such as the heartbeat tracked by a wearable device."
The WP29's guidelines are supposed to harmonize the approaches of regulators across the bloc as they handle complaints about the GDPR's application, once it goes into effect in May 2018.
"We value the work of [WP29] on [the guidelines], but also have certain concerns that the guidelines might go beyond what was agreed by the co-legislators in the legislative process," a commission spokesperson told The Privacy Advisor. "The scope shouldn't go beyond what was agreed in the trilogues."
The spokesperson would not be drawn on the commission's specific concerns. However, the issue of "observed data" was one of the most controversial aspects of the draft guidelines that the WP29 issued in December, and it was still there in the revised version that came out on 5 April.
Article 20 itself states that "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."
The accompanying Recital 68Â explains: "That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract.
[Social9_Share class=”s9-widget-wrapper”]
Upcoming Events
Strategies for simplifying complex Salesforce data migrations – Free Webinar
27 March 2024
5 PM CET – 6 PM CET
Read MoreYou Might Be Interested In
Luggage Tag Code Unlocks Your Flights, Identity to Hackers
3 Jan, 2017Booking a flight has become a simple process thanks to the Internet, and once you have flights secured you can …
How industry can protect privacy in the age of connected toys
7 Dec, 2016As we enter the season of holiday shopping, many of the most popular children’s toys on the market are designed …
Tech-Savvy Innovative Hotels Are More Vulnerable to Data Breaches
6 May, 2017The race to become the most innovated and tech-savvy hotel is on. Hotels have increasingly begun working with technology companies …
Recent Jobs
Do You Want to Share Your Story?
Bring your insights on Data, Visualization, Innovation or Business Agility to our community. Let them learn from your experience.